Danika Lyon

Introduction

Technology has fundamentally changed how businesses, acquiring banks, and card networks work together. The rise of software platforms has accelerated the change: increasingly, these platforms are connecting buyers and sellers in new ways, adding payments functionality, and creating new purchase experiences.

In this guide, we’ll explore what a payment facilitator (often abbreviated as payfac or PF) is, identify whether your business needs to become a payfac to achieve your goals, and examine the considerations and costs of becoming a registered payfac.

If you have any questions or would like to review your specific platform and business model with Stripe, just get in touch — we’d be happy to help.

Interested in more information like this?

What is a payment facilitator?

Today, many platforms and marketplaces help merchants accept payments by providing online services for companies of all sizes. Payments functionality has become integral for these platforms to differentiate their product and create stickiness, and merchants using the platform no longer need to establish direct relationships with acquiring banks or payment gateways.

Below are some of the most common types of platforms and marketplaces:

E-commerce: Platforms, such as Shopify and Squarespace, which help businesses or individuals sell physical goods online.

Invoicing: Platforms, like Xero and FreshBooks, which help businesses invoice their clients.

Fundraising: Platforms, such as Blackbaud and Kindrid, which help nonprofits and charities raise money or collect donations.

Booking: Platforms, like MINDBODY and FareHarbor, which facilitate the scheduling of appointments.

Travel and ticketing: Marketplaces, like Airbnb and Victor, which help connect individuals with accommodations and experiences.

Retail: Marketplaces, such as Tradesy, which help individuals sell to each other.

While each type of platform or marketplace is different, many have made payments a core part of the customer experience. Adding payments capabilities is a relatively new way to differentiate service offerings and brands.

Traditionally, adding payments functionality required a platform or marketplace to register and maintain status as a payment facilitator with the card networks (e.g., Visa or Mastercard) since it was seen as controlling the flow of funds (i.e., how money moves between buyers and sellers).

Payment facilitation operates at the nexus of banks, card networks, and regulatory organizations. All three share a responsibility to ensure the security and soundness of the payments ecosystem, and payment facilitators are a unique operating category with associated requirements.

In general, payment facilitators fall into three categories:

Commerce platform providers like Stripe, which enable digital transactions through innovative or enhanced technology on a white label basis. The platform owns payment flows and is responsible for paying out funds to its merchants (referred to as sub-merchants) directly.

Independent software vendors — or ISVs — that white label another solution. The ISV directly offers payment solutions but does not control the underlying technology.

Marketplaces or platforms that aggregate a set of sub-merchants, generally serve as the merchant of record, and control the flow of funds and payouts to sub-merchants.

Even though there are a variety of models, payfacs are actually quite rare. (There are only a few hundred registered payfacs in the US.) Today, it’s easy to add the payments functionality that most platforms and marketplaces require without becoming a payfac—by using a solution like Stripe Connect.

History of payfacs

The payfac model was popularized in the late 1990s as a way to help small- and medium-size businesses accept online payments more easily. Historically, a bank’s onboarding requirements catered to larger businesses that could manage the complex, costly, and time-consuming legacy setup processes. Essentially, these companies had to become experts in payments while also building their core business and product.

The payfac model emerged to give companies that specialized in payments the ability to reduce the complexity of getting started with online payments and offer services to a broader array of businesses, allowing them to focus on their core competencies.

The payfac takes on setting up and managing multiple relationships and systems—the ones the merchant would otherwise need to establish and maintain with each individual party.

Payfacs vs. ISOs

For historical context, the card networks (e.g., Visa and Mastercard) created the concept of a third-party agent (TPA), which is a category that broadly includes independent sales organizations (ISOs), payfacs, and other businesses that provide payment services to merchants. The card networks require banks to register these TPAs to ensure the following:

Merchants and TPAs adhere to the card networks’ rules.

Merchants are properly underwritten and monitored.

Settlement, funding, and reserve requirements are met.

Payment card data collection and storage meet security requirements.

ISOs often come up in conversations related to payfacs, but they’re not the same thing. Here’s how to distinguish a payfac from an ISO:

In short, the payfac controls the flow of funds and assumes responsibility for paying out funds to merchants directly, which has stricter verification and security requirements and is subject to additional compliance regulations. An ISO serves as an extension of the acquiring bank and provides merchant processing services on the acquirer’s behalf and does not control the flow of funds.

What do payfacs do?

Payfacs open a merchant bank account and receive a merchant ID (MID) to acquire and aggregate payments for a group of smaller merchants, typically called sub-merchants. Payfacs have embedded payment systems and register their master MID with an acquiring bank. Sub-merchants, on the other hand, are not required to register their unique MIDs—instead, transactions are aggregated under the payfac’s master MID. This is meant to reduce the complexity that sub-merchants would face setting up online payments on their own by eliminating the need for them to establish and maintain relationships with an acquiring bank, payment gateway, and other service providers.

Payfacs simplify the online payments setup for sub-merchants.

What are payfacs responsible for?

Financial partners, card networks, regulators, and acquirers are most concerned with the following when it comes to payment facilitation:

Controlling who is on the platform: Setting up the right onboarding processes and building trust in those processes.

Meeting KYC, AML, and OFAC compliance requirements: Ensuring sub-merchants are verified to control for money laundering, terrorist financing, and other risks and meeting Know Your Customer (KYC), anti-money laundering (AML), and the US Office of Foreign Asset Control (OFAC) requirements. If operating internationally, there are many other regulatory bodies to consider.

Auditing account activity on the platform: Putting controls in place to track and mitigate high-risk financial activity on an ongoing basis.

Being PCI compliant: Ensuring the platform is Payment Card Industry (PCI) compliant and all sub-merchants are accepting payments from customers in a compliant way. To learn more, review our guide to PCI compliance.

Though these four categories are clear, it’s difficult to find a consistent description of a payfac’s granular responsibilities. Even the card networks have their own nuanced definitions.

Visa defines a payment facilitator as a third-party agent that may do the following:

Sign a merchant acceptance agreement on behalf of an acquirer.

Receive settlement of transaction proceeds from an acquirer, on behalf of a sub-merchant.

Mastercard defines a payment facilitator as a service provider, registered by an acquiring bank (merchant processor, to be more specific), to facilitate transactions on behalf of sub-merchants. Under Mastercard’s rules, a payfac has several responsibilities:

Conduct due diligence on each sub-merchant.

Monitor all sub-merchant activity to ensure compliance with Mastercard’s standards.

Maintain PCI compliance.

Only use settlement funds to pay sub-merchants.

If a sub-merchant exceeds 100.000 MYR in annual Mastercard transaction volume, the sub-merchant is required to enter into a direct merchant agreement with the acquiring bank.

Each acquiring bank also has different rules for payfacs, which form a complex web of requirements between card networks and banks. Combined, think of a payfac as an entity that handles the relationships with card networks, sub-merchant onboarding, and payment services for merchants. The payfac directly handles paying out funds to sub-merchants.

Most of the requirements for payfacs are enforced by the card networks and acquiring banks. However, regional differences influence how stringently card networks and banks enforce these requirements in the Americas, Europe, and Asia. For example, Visa and Visa Europe are two different entities and may apply rules differently.

How to become a payfac

Becoming a payfac requires building and investing in multiple systems for payment processing, sub-merchant onboarding, compliance, risk management, payouts, and more. Payfacs also have ongoing requirements to maintain their good standing and credit requirements with acquiring banks and card networks.

The Electronic Transactions Association (an advisory organization with members from banks, card networks, and payment processors, also referred to as ETA) strongly recommends engaging industry experts and legal counsel to ensure adherence to laws and guidance that span card networks, acquiring banks, state and federal governments, and global regulatory organizations (e.g., OFAC).

Set up payment systems:

Find an acquiring bank: Prospective payfacs approach acquirers with a business plan in order to establish a partnership and get sponsored to facilitate payments for sub-merchants.

Obtain Level 1 PCI DSS certification: To ensure the security of sensitive data, the payfac is required to be Payment Card Industry Data Security Standard (known as PCI DSS) certified, which may also include Europay, Mastercard, and Visa (EMV or chip) certification if the payfac supports in-person transactions.

Set up merchant onboarding and compliance systems:

Create underwriting policies and systems to ensure only lawful businesses that comply with card network and acquirer rules are onboarded. The payfac’s system and employees will need to do the following:

Verify identities of sub-merchants, including KYC, ownership structure, and business details.

Check OFAC and MATCH lists for sub-merchants before onboarding; Mastercard manages the Member Alert to Control High-Risk Merchants (MATCH) list.

Prevent and block fraud: Proactively prevent fraud on the platform and block or review suspicious transactions. Best practices include using adaptive machine learning for fraud detection. Submit evidence to card networks when needed for chargebacks on behalf of sub-merchants.

Pay out funds to sub-merchants: Ensure sub-merchants are paid their earnings on time.

Reporting and reconciliation: Generate and distribute 1099s or other tax forms as needed annually.

Renew payfac registration and licenses: Re-register as a payfac with card networks annually, and update or renew MTLs on the required cadence.

Global expansion

If the platform needs to operate internationally and support sub-merchants in other regions, partnerships with local acquirers, gateways, and other service providers may be necessary. In general, platforms build local systems from scratch in order to adapt to local requirements or support multiple regions.

Governments and regulators may also have different requirements based on geography. The new European payments law, known as the second Payment Services Directive or PSD2, recently introduced major changes that significantly impact multisided platforms, or marketplace businesses, in Europe. Many of these businesses can no longer rely on an exemption from licensing that they availed of previously. Platforms that control the flow of funds need to acquire an e-money license, which can take months and millions of euros to obtain.

Adapt to changing landscapes

The definition of a payment facilitator is still evolving—so is its role. (The Electronic Transactions Association, or ETA, published a 73-page report with new guidelines in September 2018.) Any investments made now to become a payfac will require updates over time to meet changing regulations and requirements.

Due diligence and risk management to ensure all sub-merchants stay in compliance

Update risk systems on regular cadence

Maintain platform-level balances or reserves on sub-merchants to protect against credit risk

250.000 MYR+ per year (1 FTE at 150.000 MYR per year and 1 risk analyst at 100.000 MYR per year)

Fraud prevention

Operate or integrate with third-party systems to prevent and block fraud

0,04 MYR–0,10 MYR per transaction

Chargeback management

Handle chargeback and evidence submission

15 MYR per dispute

Payouts and funds routing

Ensure merchants get paid out on the right schedule

0,25 MYR per transaction

Reporting and reconciliation

Generate and distribute 1099s or other tax forms as required (1099s cost as little as 5 MYR per form to generate, but can incur up to 250 MYR in fees if filed incorrectly)

Run platform-level financial close processes and financial audits as needed

5 MYR–255 MYR per form

100.000 MYR per year (1 finance FTE)

Annual PCI validation

Validate Level 1 PCI DSS compliance every year and re-validate any time changes are made to payment flows throughout the year

200.000 MYR+ per year

Renew payfac registration (and other licenses, if needed)

Re-register as a payfac with Visa and Mastercard (5.000 MYR per year each)

Renew money transmission licenses every 2 years

10.000 MYR+ per year

Alternatives to becoming a payfac

Becoming a payfac requires significant time and monetary investment. The good news is that for most business models, including platforms that want to help their users accept payments, becoming a payfac is not necessary. Platforms that use Stripe Connect, which is a product built specifically for platforms and marketplaces, stay outside the flow of funds while still providing customized experiences to sub-merchants for accepting payments.

Stripe Connect is API-first and lets platforms design the best experience for their customers. Platforms get the ability to do the following:

Scale the business globally without having to establish local bank accounts and company entities in each market.

Meanwhile, Stripe takes on the payment processing responsibility and handles the flow of funds, which simplifies not only the integration work required but also the operational overhead of managing payments.

Today, there are only a few scenarios where becoming or staying a payfac is required for platforms and marketplaces:

If the platform needs to hold money in escrow or for an extended period of time.

If the platform has set up specific fund flows that require money transmission licenses in certain states.

If the platform has existing legacy systems that require registering as a payfac.

Even in these cases, simple workarounds could allow the platform to use Stripe:

Determine if funds really need to be held for more than 30 days or if there are other ways to manage user funds.

Consider similar fund flows that accomplish the platform’s goals without requiring money transmission licenses, or use Stripe Connect to remain outside the flow of funds.

Even though there are a lot of considerations, costs, and risks to becoming a payfac, there are a lot of benefits to adding payments to a platform or marketplace. Payments functionality can help differentiate the platform in competitive markets and improve the experience for sub-merchants.

If you’d like to learn more about Stripe Connect, visit our website. If you’d like to talk to our team about your specific use case and brainstorm approaches, please get in touch.

Interested in more information like this?

Share your email so Stripe can send you updates on payfacs, guides, and industry news.